[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 327 Introduced in House (IH)]

<DOC>






116th CONGRESS
  1st Session
                                H. R. 327

     To prohibit entities from requiring individuals to submit to 
arbitration for disputes arising from a security breach, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            January 8, 2019

  Mr. Ted Lieu of California introduced the following bill; which was 
            referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
     To prohibit entities from requiring individuals to submit to 
arbitration for disputes arising from a security breach, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Ending Forced Arbitration for 
Victims of Data Breaches Act of 2019''.

SEC. 2. PROTECTION OF DATA SECURITY BREACH VICTIMS.

    An entity may not require, as part of a customer or other similar 
agreement, an individual to agree to submit any dispute related to a 
security breach, including any dispute related to identity theft, to 
arbitration.

SEC. 3. APPLICABILITY.

    A provision of an agreement entered into prior to the date of the 
enactment of this Act, that violates section 2, is void.

SEC. 4. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Unfair or Deceptive Acts or Practices.--A violation of section 
2 shall be treated as an unfair and deceptive act or practice in 
violation of a regulation under section 18(a)(1)(B) of the Federal 
Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or 
deceptive acts or practices.
    (b) Powers of Commission.--The Commission shall enforce this Act in 
the same manner, by the same means, and with the same jurisdiction, 
powers, and duties as though all applicable terms and provisions of the 
Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated 
into and made a part of this Act. Any person who violates section 2 
shall be subject to the penalties and entitled to the privileges and 
immunities provided in that Act.
    (c) Rules.--The Commission shall promulgate, under section 553 of 
title 5, United States Code, such rules as may be necessary to carry 
out the provisions of this Act.

SEC. 5. ENFORCEMENT BY STATES.

    (a) In General.--If the attorney general of a State has reason to 
believe that an interest of the residents of the State has been or is 
being threatened or adversely affected by a practice that violates 
section 2, the attorney general of the State may, as parens patriae, 
bring a civil action on behalf of the residents of the State in an 
appropriate district court of the United States to obtain appropriate 
relief.
    (b) Rights of Federal Trade Commission.--
            (1) Notice to federal trade commission.--
                    (A) In general.--Except as provided in clause 
                (iii), the attorney general of a State, before 
                initiating a civil action under paragraph (1), shall 
                provide written notification to the Federal Trade 
                Commission that the attorney general intends to bring 
                such civil action.
                    (B) Contents.--The notification required under 
                clause (i) shall include a copy of the complaint to be 
                filed to initiate the civil action.
                    (C) Exception.--If it is not feasible for the 
                attorney general of a State to provide the notification 
                required under clause (i) before initiating a civil 
                action under paragraph (1), the attorney general shall 
                notify the Commission immediately upon instituting the 
                civil action.
            (2) Intervention by federal trade commission.--The 
        Commission may--
                    (A) intervene in any civil action brought by the 
                attorney general of a State under paragraph (1); and
                    (B) upon intervening--
                            (i) be heard on all matters arising in the 
                        civil action; and
                            (ii) file petitions for appeal of a 
                        decision in the civil action.
    (c) Investigatory Powers.--Nothing in this subsection may be 
construed to prevent the attorney general of a State from exercising 
the powers conferred on the attorney general by the laws of the State 
to conduct investigations, to administer oaths or affirmations, or to 
compel the attendance of witnesses or the production of documentary or 
other evidence.
    (d) Preemptive Action by Federal Trade Commission.--If the Federal 
Trade Commission institutes a civil action or an administrative action 
with respect to a violation of section 2, the attorney general of a 
State may not, during the pendency of such action, bring a civil action 
under paragraph (1) against any defendant named in the complaint of the 
Commission for the violation with respect to which the Commission 
instituted such action.
    (e) Venue; Service of Process.--
            (1) Venue.--Any action brought under paragraph (1) may be 
        brought in--
                    (A) the district court of the United States that 
                meets applicable requirements relating to venue under 
                section 1391 of title 28, United States Code; or
                    (B) another court of competent jurisdiction.
            (2) Service of process.--In an action brought under 
        paragraph (1), process may be served in any district in which--
                    (A) the defendant is an inhabitant, may be found, 
                or transacts business; or
                    (B) venue is proper under section 1391 of title 28, 
                United States Code.

SEC. 6. PRIVATE RIGHT OF ACTION.

    (a) In General.--An individual who is injured by a violation of 
section 2 may bring a private right of action in any court of 
appropriate jurisdiction for rescission and restitution, as well as for 
all damages and may be awarded injunctive relief against a violation of 
such section. The individual shall also be entitled to recover its 
costs of litigation and reasonable attorney's fees and expert witness 
fees, against any entity or person found to be liable for such 
violation.
    (b) Liability.--Every person who directly or indirectly controls a 
person liable under subsection (a), every partner in a firm so liable, 
every principal executive officer or director of a corporation so 
liable, every person occupying a similar status or performing similar 
functions and every employee of a person so liable who materially aids 
in the act or transaction constituting the violation is also liable 
jointly and severally with and to the same extent as such person, 
unless the person who would otherwise be liable hereunder had no 
knowledge of or reasonable grounds to know of the existence of the 
facts by reason of which the liability is alleged to exist.
    (c) Statute of Limitations.--No action may be commenced pursuant to 
this section more than the later of--
            (1) 2 years after the date on which the violation occurs; 
        or
            (2) 2 years after the date on which the violation is 
        discovered or should have been discovered through exercise of 
        reasonable diligence.
    (d) Venue.--An action under this section may be brought in--
            (1) the district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code; or
            (2) another court of competent jurisdiction.
    (e) Cumulative Right.--The private rights provided for in this 
section are in addition to and not in lieu of other rights or remedies 
created by Federal or State law.

SEC. 7. DEFINITIONS.

    In this Act--
            (1) the term ``security breach''--
                    (A) means a compromise of the security, 
                confidentiality, or integrity of, or the loss of, 
                computerized data that results in, or there is a 
                reasonable basis to conclude has resulted in--
                            (i) the unauthorized acquisition of 
                        sensitive personally identifiable information; 
                        or
                            (ii) access to sensitive personally 
                        identifiable information that is for an 
                        unauthorized purpose, or in excess of 
                        authorization;
                    (B) does not include any lawfully authorized 
                investigative, protective, or intelligence activity of 
                a law enforcement agency of the United States, a State, 
                or a political subdivision of a State, or of an element 
                of the intelligence community; and
            (2) the term ``sensitive personally identifiable 
        information'' means any information or compilation of 
        information, in electronic or digital form that includes one or 
        more of the following:
                    (A) An individual's first and last name or first 
                initial and last name in combination with any two of 
                the following data elements:
                            (i) Home address or telephone number.
                            (ii) Mother's maiden name.
                            (iii) Month, day, and year of birth.
                    (B) A Social Security number (but not including 
                only the last four digits of a Social Security number), 
                driver's license number, passport number, or alien 
                registration number or other Government-issued unique 
                identification number.
                    (C) Unique biometric data such as a finger print, 
                voice print, a retina or iris image, or any other 
                unique physical representation.
                    (D) A unique account identifier, including a 
                financial account number or credit or debit card 
                number, electronic identification number, user name, or 
                routing code.
                    (E) A user name or electronic mail address, in 
                combination with a password or security question and 
                answer that would permit access to an online account.
                    (F) Any combination of the following data elements:
                            (i) An individual's first and last name or 
                        first initial and last name.
                            (ii) A unique account identifier, including 
                        a financial account number or credit or debit 
                        card number, electronic identification number, 
                        user name, or routing code.
                            (iii) Any security code, access code, or 
                        password, or source code that could be used to 
                        generate such codes or passwords.
                                 <all>